# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. # # This file contains (i) proprietary rules that were created, tested and certified by # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by # Sourcefire and other third parties (the "GPL Rules") that are distributed under the # GNU General Public License (GPL), v2. # # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a # list of third party owners and their respective copyrights. # # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer # to the VRT Certified Rules License Agreement (v2.0). # #---------------- # OS-OTHER RULES #---------------- # alert tcp $EXTERNAL_NET any -> $HOME_NET [1211,1210] (msg:"OS-OTHER CoDeSys Gateway Server Denial of Service attempt detected"; flow:established,to_server; content:"|DD DD|"; depth:2; byte_test:4,>=,4127195136,12,relative,little; metadata:policy security-ips drop; reference:bugtraq,58032; reference:cve,2012-4707; classtype:attempted-dos; sid:29604; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER DLink IP camera remote command execution vulnerability - access to vulnerable rtpd.cgi"; flow:to_server,established; content:"/cgi-bin/rtpd.cgi?"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-1599; reference:url,seclists.org/fulldisclosure/2013/Apr/253; classtype:attempted-admin; sid:26559; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-OTHER Nintendo User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"nintendo"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*nintendo/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25525; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"OS-OTHER Cisco Nexus OS software command injection attempt"; flow:established,to_server; content:"sec"; fast_pattern:only; content:"sh"; nocase; content:"|7C|"; within:75; content:"sec"; within:75; content:"|7C|"; within:75; pcre:"/sh(o|ow)?[^\x7c]*\x7c\s*sec(t?i?o?n?)?[^\x7c]*\x7c[^\r\n\x00]*([$`{}<>()\x3b]|\x2f?(bin|etc|flash|usr|lib|sys|\x2f?(ba)?sh|boot|config|rc|config))/i"; metadata:service telnet; reference:cve,2011-2569; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=24458; classtype:attempted-admin; sid:25020; rev:2;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-OTHER Cisco NHRP incorrect packet size"; ip_proto:54; content:"|FF FF|"; depth:2; offset:10; reference:bugtraq,25238; reference:cve,2007-4286; classtype:attempted-user; sid:12300; rev:4;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-OTHER Cisco NHRP incorrect packet size"; ip_proto:47; content:" |01|"; depth:2; offset:2; content:"|FF FF|"; depth:2; offset:14; reference:bugtraq,25238; reference:cve,2007-4286; classtype:attempted-user; sid:12299; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-OTHER Cisco IOS HTTP configuration attempt"; flow:to_server,established; content:"/level/"; http_uri; pcre:"/\x2flevel\x2f\d+\x2f(exec|configure)/iU"; metadata:ruleset community, service http; reference:bugtraq,2936; reference:cve,2001-0537; reference:nessus,10700; classtype:web-application-attack; sid:1250; rev:21;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-OTHER x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; metadata:ruleset community, service dns; classtype:attempted-admin; sid:266; rev:15;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31978; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31976; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"%3D%28%29+%7B"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31975; rev:5;) alert udp $HOME_NET 67 -> $HOME_NET 68 (msg:"OS-OTHER Malicious DHCP server bash environment variable injection attempt"; flow:stateless; content:"() {"; fast_pattern:only; content:"|02 01 06 00|"; depth:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31985; rev:6;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; content:"RCPT"; nocase; content:"TO|3A|"; distance:0; nocase; pcre:"/^\s*?RCPT\s+?TO\x3a[^\r\n]*?\x28\x29\s\x7b/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32039; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; content:"MAIL"; nocase; content:"FROM|3A|"; distance:0; nocase; pcre:"/^\s*?MAIL\s+?FROM\x3a[^\r\n]*?\x28\x29\s\x7b/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32038; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"USER "; depth:5; content:"() {"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32043; rev:3;) # alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;) # alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash CGI nested loops word_lineno denial of service attempt"; flow:to_server,established; file_data; content:"for"; nocase; content:"in {"; within:10; content:"|7C| bash |7C 7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-7187; reference:url,shellshocker.net/; classtype:attempted-dos; sid:32049; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Bash CGI nested loops word_lineno denial of service attempt"; flow:to_client,established; file_data; content:"for"; nocase; content:"in {"; within:10; content:"|7C| bash |7C 7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-7187; reference:url,shellshocker.net/; classtype:attempted-dos; sid:32047; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Bash redir_stack here document handling denial of service attempt"; flow:to_client, established; file_data; content:"printf '< $HOME_NET any (msg:"OS-OTHER Bash redir_stack here document handling denial of service attempt"; flow:to_client, established; file_data; content:"< $HOME_NET 21 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"PASS "; depth:5; content:"() {"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32069; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; content:"() {"; http_cookie; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32336; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:" () {"; depth:50; urilen:>0,norm; content:!"HTTP/"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32335; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; content:"}"; within:25; pcre:"/^[\w\x2d\x5f]+?\x3a\s*?\x28\x29\s\x7b/mi"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32366; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_server,established; file_data; content:"|C7 44 24 08 01 00 00 00 C7 44 24 04 07 00 00 00 C7 04 24 F0 03 00 00 E8 90 FE FF FF C7 44 24 04 F4 03 00 00 C7 04 24 80 00 00 00 E8 A9 FF FF FF|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34488; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_client,established; file_data; content:"|C7 44 24 08 01 00 00 00 C7 44 24 04 07 00 00 00 C7 04 24 F0 03 00 00 E8 90 FE FF FF C7 44 24 04 F4 03 00 00 C7 04 24 80 00 00 00 E8 A9 FF FF FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34487; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_server,established; file_data; content:"|C7 04 24 03 00 00 00 E8 C0 FE FF FF C7 44 24 04 F5 03 00 00 C7 04 24 0A 00 00 00 E8 B9 FF FF FF C7 44 24 1C 00 00 00 00 EB 19 C7 44 24 04 F5 03|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34486; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_client,established; file_data; content:"|C7 04 24 03 00 00 00 E8 C0 FE FF FF C7 44 24 04 F5 03 00 00 C7 04 24 0A 00 00 00 E8 B9 FF FF FF C7 44 24 1C 00 00 00 00 EB 19 C7 44 24 04 F5 03|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34485; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_server,established; file_data; content:"|BA 01 00 00 00 BE 07 00 00 00 BF F0 03 00 00 E8 C1 FE FF FF BE F4 03 00 00 BF 80 00 00 00 E8 BF FF FF FF BE F5 03 00 00 BF 0A 00 00 00 E8 B0 FF|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34484; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_client,established; file_data; content:"|BA 01 00 00 00 BE 07 00 00 00 BF F0 03 00 00 E8 C1 FE FF FF BE F4 03 00 00 BF 80 00 00 00 E8 BF FF FF FF BE F5 03 00 00 BF 0A 00 00 00 E8 B0 FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34483; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_server,established; file_data; content:"|BF 03 00 00 00 E8 B7 FE FF FF BE F5 03 00 00 BF 0A 00 00 00 E8 C5 FF FF FF C7 45 FC 00 00 00 00 EB 13 BE F5 03 00 00 BF 42 00 00 00 E8 AD FF FF|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34482; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_client,established; file_data; content:"|BF 03 00 00 00 E8 B7 FE FF FF BE F5 03 00 00 BF 0A 00 00 00 E8 C5 FF FF FF C7 45 FC 00 00 00 00 EB 13 BE F5 03 00 00 BF 42 00 00 00 E8 AD FF FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34481; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"OS-OTHER Cisco Nexus OS software command injection attempt"; flow:established,to_server; content:"less"; fast_pattern:only; content:"sh"; nocase; content:"|7C|"; within:75; content:"less"; within:75; content:"|7C|"; within:75; pcre:"/sh(o|ow)?[^\x7c]*\x7c\s*less?[^\x7c]*\x7c[^\r\n\x00]*([$`{}<>()\x3b]|\x2f?(bin|etc|flash|usr|lib|sys|\x2f?(ba)?sh|boot|config|rc|config))/i"; metadata:policy max-detect-ips drop, service telnet; reference:cve,2011-2569; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=24458; classtype:attempted-admin; sid:25019; rev:6;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER OS X DYLD_PRINT_TO_FILE privilege escalation attempt"; flow:to_server,established; file_data; content:"DYLD_PRINT_TO_FILE="; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.rapid7.com/db/modules/exploit/osx/local/dyld_print_to_file_root; reference:url,www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html; classtype:attempted-admin; sid:35736; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER OS X DYLD_PRINT_TO_FILE privilege escalation attempt"; flow:to_client,established; file_data; content:"DYLD_PRINT_TO_FILE="; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.rapid7.com/db/modules/exploit/osx/local/dyld_print_to_file_root; reference:url,www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html; classtype:attempted-admin; sid:35735; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Joyent SmartOS add entries denial of service attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"|C7 40 18 00 04 00 00|"; content:"|48 8D 55 D0 8B 45 E8 BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-9039; reference:cve,2016-9040; reference:url,www.talosintelligence.com/reports/TALOS-2016-0257/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0258/; classtype:attempted-dos; sid:41218; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Joyent SmartOS add entries denial of service attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|C7 40 18 00 04 00 00|"; content:"|48 8D 55 D0 8B 45 E8 BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-9039; reference:cve,2016-9040; reference:url,www.talosintelligence.com/reports/TALOS-2016-0257/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0258/; classtype:attempted-dos; sid:41217; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Joyent SmartOS file system path buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"|C7 40 08 00 04 00 00|"; content:"|89 45 E8 48 8D 55 D0 8B 45 E8 BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:130; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-9033; reference:cve,2016-9035; reference:url,www.talosintelligence.com/reports/TALOS-2016-0251/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0253/; classtype:attempted-admin; sid:40903; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Joyent SmartOS file system path buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|C7 40 08 00 04 00 00|"; content:"|89 45 E8 48 8D 55 D0 8B 45 E8 BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:130; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-9033; reference:cve,2016-9035; reference:url,www.talosintelligence.com/reports/TALOS-2016-0251/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0253/; classtype:attempted-admin; sid:40902; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Joyent SmartOS file system name buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"|C7 40 18 00 04 00 00|"; content:"|89 45 D8 48 8D 55 C0 8B 45 D8 BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:75; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-9032; reference:cve,2016-9034; reference:url,www.talosintelligence.com/reports/TALOS-2016-0250/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0252/; classtype:attempted-admin; sid:40901; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Joyent SmartOS file system name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|C7 40 18 00 04 00 00|"; content:"|89 45 D8 48 8D 55 C0 8B 45 D8 BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:75; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-9032; reference:cve,2016-9034; reference:url,www.talosintelligence.com/reports/TALOS-2016-0250/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0252/; classtype:attempted-admin; sid:40900; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Joyent SmartOS ioctl integer underflow attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"|C7 45 E8 FF FF FF FF|"; content:"|89 45 FC 48 8D 55 E0 8B 45 FC BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8733; reference:cve,2016-9031; reference:url,www.talosintelligence.com/reports/TALOS-2016-0248/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0249/; classtype:attempted-admin; sid:40899; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Joyent SmartOS ioctl integer underflow attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|C7 45 E8 FF FF FF FF|"; content:"|89 45 FC 48 8D 55 E0 8B 45 FC BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8733; reference:cve,2016-9031; reference:url,www.talosintelligence.com/reports/TALOS-2016-0248/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0249/; classtype:attempted-admin; sid:40898; rev:3;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-OTHER Apple OSX and iOS x509 certificate name constraints parsing use after free attempt"; flow:to_client,established; content:"|06 03 55 1D 1E 04|"; content:"|30|"; within:1; distance:1; content:"|A0|"; within:1; distance:1; content:"|30|"; within:1; distance:1; byte_test:1,>,0x84,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:cve,2017-2485; reference:url,www.talosintelligence.com/reports/TALOS-2017-0296/; classtype:attempted-admin; sid:41999; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt"; flow:to_client,established; content:"301"; fast_pattern:only; content:"301"; http_stat_code; content:"OK"; http_stat_msg; metadata:service http; reference:cve,2007-0464; classtype:denial-of-service; sid:43388; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|48 8B|"; byte_extract:4,1,array,relative; content:"|48 FF C0 48 89|"; within:10; byte_test:4,=,array,1,relative; content:"|48 83|"; within:20; byte_test:4,=,array,1,relative; content:"|E8|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45368; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|48 8B|"; byte_extract:4,1,array,relative; content:"|48 FF C0 48 89|"; within:10; byte_test:4,=,array,1,relative; content:"|48 83|"; within:20; byte_test:4,=,array,1,relative; content:"|E8|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45367; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|68 00 08 00 00 8D 85 F8 F7 FF FF 89 15 CC 5A 40 00 68 FF 00 00 00 50 C7 83 40 1F 00 00 01 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45366; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_client,established; file_data; content:"x = ((j % 6) - 1) & ~0xFFFF|3B| /* Set x=FFF.FF000"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45365; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_client,established; file_data; content:"L2_cache_clear = (BYTE*)VirtualAlloc(0, 256 * 4096"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45364; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_client,established; file_data; content:"localJunk ^= probeTable[index|7C|0]|7C|0|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45363; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|B8 08 00 00 00 48 69 C0 E8 03 00 00 48 8D 0D 79 6F 00 00 48 8B 95 D0 0C 00 00 48 89 14 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45362; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|68 00 08 00 00 8D 85 F8 F7 FF FF 89 15 CC 5A 40 00 68 FF 00 00 00 50 C7 83 40 1F 00 00 01 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45361; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_server,established; file_data; content:"x = ((j % 6) - 1) & ~0xFFFF|3B| /* Set x=FFF.FF000"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45360; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_server,established; file_data; content:"L2_cache_clear = (BYTE*)VirtualAlloc(0, 256 * 4096"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45359; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_server,established; file_data; content:"localJunk ^= probeTable[index|7C|0]|7C|0|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45358; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|B8 08 00 00 00 48 69 C0 E8 03 00 00 48 8D 0D 79 6F 00 00 48 8B 95 D0 0C 00 00 48 89 14 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45357; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Mac OS X setuid privilege esclatation exploit attempt"; flow:to_client,established; file_data; content:"/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy"; fast_pattern:only; content:"/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool"; content:"/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0345; classtype:attempted-admin; sid:45386; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Mac OS X setuid privilege esclatation exploit attempt"; flow:to_server,established; file_data; content:"/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy"; fast_pattern:only; content:"/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool"; content:"/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool"; metadata:service smtp; reference:cve,2007-0345; classtype:attempted-admin; sid:45385; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45444; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45443; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"OS-OTHER Apple macOS IOHIDeous exploit download attempt"; flow:to_server,established; file_data; flowbits:isset,file.macho64le; content:"/bin/launchctl reboot logout"; fast_pattern:only; content:"IOHIDSystem"; content:"IOHIDUserClient"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1152; classtype:attempted-user; sid:45419; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Apple macOS IOHIDeous exploit download attempt"; flow:to_client,established; file_data; flowbits:isset,file.macho64le; content:"/bin/launchctl reboot logout"; fast_pattern:only; content:"IOHIDSystem"; content:"IOHIDUserClient"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1152; classtype:attempted-user; sid:45418; rev:3;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-OTHER FreeBSD sctp6_ctlinput null pointer dereference attempt"; itype:<5; content:"|60 00 00 00|"; depth:4; content:"|84|"; within:1; distance:2; byte_test:2,<,12,-3,relative; metadata:policy max-detect-ips drop; reference:cve,2016-1879; reference:url,www.freebsd.org/security/advisories/FreeBSD-SA-16:01.sctp.asc; classtype:attempted-dos; sid:46023; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt"; flow:to_server,established; flowbits:isset,file.macho64le; file_data; content:"|C7|"; content:"|05 00|"; within:10; content:"|C7|"; within:8; content:"|FF 0F 00|"; within:10; content:"|C7|"; within:8; content:"|00 00 00 80|"; within:10; content:"|31 F6|"; content:"|E8|"; within:10; content:"|83|"; within:15; content:"|FF 0F 85|"; within:10; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4243; classtype:attempted-admin; sid:46991; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt"; flow:to_client,established; flowbits:isset,file.macho64le; file_data; content:"|C7|"; content:"|05 00|"; within:10; content:"|C7|"; within:8; content:"|FF 0F 00|"; within:10; content:"|C7|"; within:8; content:"|00 00 00 80|"; within:10; content:"|31 F6|"; content:"|E8|"; within:10; content:"|83|"; within:15; content:"|FF 0F 85|"; within:10; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4243; classtype:attempted-admin; sid:46990; rev:1;)